Configure Centralized Control Policy

Configure Centralized Control Policy

Posted on Jan 27, 2020 (0)

Configure Centralized Control Policy

When Centralized Control Policy is configured on vSmart Controller, it affects the routing policy based on information present in OMP routes and TLOC of OMP. A policy is configured to match the routes and TLOC and then take action based on matches like redirecting packets via Network Services (FW, LB).

When we have multiple vSmart Controller, than all controllers must have same Centralized policy for network to remain stable.

This Policy contains a series of ordered number sequence matching –action which are evaluated in order and when a route or TLOC matches its associated actions are executed on that packet. If anything not matched then packet is by default rejected and discarded.

CLI Configuration Procedure:

Create Site List to which this Centralized control policy is to be applied.

vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id

Create list of IP Prefixes, TLOC and VPN as required.

vSmart(config)# policy lists
vSmart(config-lists)# prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length
vSmart(config)# policy lists
vSmart(config-lists)# tloc-list list-name
vSmart(config-lists-list-name)# tloc address color color encap encapsulation [preference value]
vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

Create a control policy instance:

vSmart(config)# policy control-policy policy-name

Create a series of match–action pair sequences:

vSmart(config-control-policy-policy-name)# sequence number

Define match parameters for routes and for TLOCs:

vSmart(config-sequence-number)# match route route-parameter
vSmart(config-sequence-number)# match tloc tloc-parameter

Define actions to take when a match occurs:

vSmart(config-sequence-number)# action reject
vSmart(config-sequence-number)# action accept export-to (vpn vpn-id | vpn-list listname)
vSmart(config-sequence-number)# action accept set omp-tag number
vSmart(config-sequence-number)# action accept set preference value
vSmart(config-sequence-number)# action accept set service service-name (tloc ip-address| tloc-list list-name) [vpn vpn-id]
vSmart(config-sequence-number)# action accept set tloc ip-address color color [encapencapsulation]
vSmart(config-sequence-number)# action accept set tloc-action action
vSmart(config-sequence-number)# action accept set tloc-list list-name

If no match is found in any of the sequences, it will be rejected, and if for non-matching traffic you want acceptance, you need to configure default action policy.

vSmart(config-policy-name)# default-action accept

Apply the policy to one or more sites in the Viptela overlay network:

vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)

If the action you are configuring is a service, configure the required services on the vEdge routers so that the vSmart controller knows how to reach the services:

vEdge(config)# vpn vpn-id service service-name address ip-address


Prefixes can be used as given below:

  • Prefix/length— Exactly match a single prefix–length pair.
  • 0.0.0/0—Match any prefix–length pair.
  • 0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip prefix le 24 matches all IP prefixes with lengths from /1 through /24.
  • 0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix ge 27 matches all IP prefixes with lengths from /27 through /32.
  • 0.0.0/0 ge length1 le length2, or le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes.


Each TLOC is specified by 3 tuple like its address, color, Encapsulation, in which address is its system address, color is WAN link color and encapsulation is gre or ipsec.

OMP Route Match Attributes:

  • Tag value associated with the route or prefix in the routing database on the vEdge router: Match OMP Tag omp-tag number 0 through 4294967295.
  • Protocol from which the route was learned: Match Origin origin protocol bgp-external, bgp-internal, connected, ospf-external1, ospf-external2,ospf-intra-area, static
  • IP address from which the route was learned: Match Originator originator ipaddress
  • Individual site identifier: site-id site-id 0 through 4294967295
  • One or more overlay network site identifiers: Match Site site-list listname one or more TLOC addresses. Match TLOC tloc-list listname

TLOC Route Match Attributes

  • Carrier for the control traffic : Match Carrier carrier carrier-name default, carrier1 through carrier8
  • One or more colors : List color-list list-name
  • Domain identifier associated with a TLOC: domain-id domain-id 0 through 4294967295
  • Tag value associated with the TLOC route in the route table on the vEdge router: omp-tag Number 0 through 4294967295
  • IP address from which the route was learned. Match Originator originator
  • How preferred a TLOC route is. This is the preference value that the TLOC route has in the local site, that is, in the route table on the vEdge router. A higher preference value is more preferred.Preference number 0 through 255
  • One or more overlay network site identifiers: site-list listname
  • One or more TLOC addresses: tloc-list listname

Action Parameters:

  • Export the route the specified VPN or list of VPNs (for a match route match condition only): export-to (vpn vpn-id | vpn-list vpn-list)
  • Change the preference value in the route, prefix, or TLOC to the specified value. A higher preference value is more preferred: set preference number 0 through 255
  • Specify a service to redirect traffic to before delivering the traffic to its destination: set service service-name (tloc ipaddress | tloc-list listname) [vpn vpn-id]. Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2, netsvc3, netsvc4
  • Change the TLOC address, color, and encapsulation to the specified address and color: set tloc ipaddress
  • Color color [encap encapsulation]
  • Direct matching routes or TLOCs forwards the traffic to its ultimate destination: set tlocaction
  • Action [ ecmp , primary , backup strict ]
    • ECMP: Equally send traffic between immediate destination and the ultimate destination
    • Primary: Send the matching traffic to intermediate destination and if this router is not reachable than send the traffic to final destination.
    • Backup: First send direct matching traffic to Final destination and if that router is not reachable than send it to intermediate destination.
    • Strict: Send the matching traffic to intermediate destination only.


Example 1: Traffic Engineering

 In this example we can take topology like hub and spoke, where any Spoke vEdge Router want to send traffic to another vEdge router will send the traffic to hub, Ipsec connection are between spokes to hubs.

This design can be achieved by creating policy that changes TLOC associated with the routes in local network. Let’s see the topology:

TLOC for vEdge Site 1 is { , Gold , ipsec  } , TLOC for vEdge Site 2 is { Gold , ipsec  } and TLOC for hub is { Gold ipsec } .

Here Site 2 vEdge advertises the prefix with TLOC {, Gold ipsec} to vSmart, and now requirement is all traffic from Site 1 should go to hub Site whose TLOC is { Gold ipsec}. To make this happen a policy is created to change the TLOC of route from to When this policy is in effect, the vSmart will advertise the OMP routes for prefix to Site 1 vEdge router with modified TLOC of instead of

The vEdge hub router also learns the TLOC of Site 1 and Site 2 from OMP routes advertised by vSmart, As the Hub router will use this two TLOC , so that hub router will forward the traffic to proper destination.

prefix-list Site2-prefixes
site-list Site1-sites
site-id 1
control-policy change-tloc
sequence 10
match route
prefix-list Site2-prefixes
site-id 2
action accept
set tloc color gold encap ipsec
site Site1-sites control-policy change-tloc out

Example 2: Traffic Engineering (Redundancy)

  • VEdge hub Site 1, with TLOC, all data traffic from branches on the Site 1 side of the overlay network to pass through and be processed by this vEdge router.
  • vEdge hub Site 2, with TLOC, gold. Similarly, we all Site 2 side data traffic to pass through the Site 2 vEdge hub.

site-list Site1-sites
site-id 1
site-list Site2-sites
site-id 2
tloc-list Site1-hub-tlocs
tloc-id gold
tloc-list Site2-hub-tlocs
tloc-id gold
control-policy prefer-Site1-hub
sequence 10
match tloc
tloc-list Site1-hub-tlocs
action accept
set preference 50
control-policy prefer-Site2-hub
sequence 10
match tloc
tloc-list Site2-hub-tlocs
action accept
set preference 50
site Site1-sites control-policy prefer-Site1-hub out
site Site2-sites control-policy prefer-Site2-hub out

Here prefer-Site1-hub affects OMP routes destined to TLOC, gold, which is the TLOC address of the Site1 vEdge hub router. This policy modifies the preference value in the OMP route to a value of 50, which is large enough which means no other OMP routes will have a larger preference and setting a high preference value directs traffic destined for site 100 to the Site1 hub router.


    You are will be the first.


Please login here to comment.